<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Workspace-Isolation - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/workspace-isolation/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 29 Feb 2024 10:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/workspace-isolation/feed.xml" rel="self" type="application/rss+xml"/><item><title>@grackle-ai/mcp Workspace Authorization Bypass in knowledge_search MCP Tool</title><link>https://feed.craftedsignal.io/briefs/2024-02-29-grackle-ai-mcp-auth-bypass/</link><pubDate>Thu, 29 Feb 2024 10:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-02-29-grackle-ai-mcp-auth-bypass/</guid><description>The @grackle-ai/mcp package has a workspace authorization bypass vulnerability in its knowledge_search MCP tool that allows scoped agents to bypass workspace isolation and access knowledge graph nodes from other workspaces, leading to cross-workspace data leakage.</description><content:encoded><![CDATA[<p>The <code>@grackle-ai/mcp</code> package, specifically versions 0.70.1 and earlier, contains a critical authorization bypass vulnerability within the <code>knowledge_search</code> and <code>knowledge_get_node</code> MCP tools. This vulnerability allows scoped agents operating within one workspace to circumvent intended isolation boundaries and access knowledge graph nodes residing in other workspaces. This is due to the <code>knowledge_search</code> and <code>knowledge_get_node</code> handlers failing to properly receive or enforce workspace scoping via the <code>authContext</code>. This vulnerability poses a significant risk of cross-workspace data leakage in deployments where multiple workspaces contain sensitive knowledge graph data and scoped agents are utilized. The issue was reported on March 25, 2026, and is tracked as GHSA-647h-p824-99w7. Defenders should prioritize patching or implementing workarounds to mitigate this risk.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>A scoped agent is deployed within Workspace A, possessing limited permissions within that workspace.</li>
<li>The attacker identifies the presence of the <code>knowledge_search</code> and <code>knowledge_get_node</code> tools within the <code>SCOPED_TOOLS</code> set, indicating their accessibility to scoped agents.</li>
<li>The attacker crafts a request to the <code>knowledge_search</code> or <code>knowledge_get_node</code> handler, supplying an arbitrary <code>workspaceId</code> parameter corresponding to Workspace B.</li>
<li>Due to the missing <code>authContext</code> and lack of workspace scoping enforcement in the handler, the request bypasses intended access controls.</li>
<li>The handler retrieves knowledge graph nodes from Workspace B based on the attacker-supplied <code>workspaceId</code>.</li>
<li>The data from Workspace B is returned to the scoped agent in Workspace A.</li>
<li>The attacker gains unauthorized access to sensitive knowledge graph data residing in Workspace B.</li>
<li>The attacker can exfiltrate or misuse the compromised data, leading to data leakage or other malicious activities.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>This vulnerability results in cross-workspace data leakage, potentially exposing sensitive information stored in knowledge graphs across different workspaces. The number of affected deployments depends on the adoption rate of <code>@grackle-ai/mcp</code> with scoped agents and multi-workspace configurations. Successful exploitation can lead to unauthorized access to confidential data, impacting data privacy, compliance, and potentially causing reputational damage. The vulnerability affects any deployment where multiple workspaces contain sensitive knowledge graph data and scoped agents are used, putting organizations at significant risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade <code>@grackle-ai/mcp</code> to a patched version beyond 0.70.1 to address the authorization bypass vulnerability.</li>
<li>As a temporary workaround, remove <code>knowledge_search</code> and <code>knowledge_get_node</code> from the <code>SCOPED_TOOLS</code> set in <code>tool-scoping.ts</code> to restrict access to these tools for scoped agents.</li>
<li>Monitor the usage of <code>knowledge_search</code> and <code>knowledge_get_node</code> handlers for requests originating from scoped agents, and alert on any attempts to access knowledge graph nodes from different workspaces.</li>
<li>If scoped agents are not currently used in multi-workspace deployments, consider disabling them temporarily until the patch is applied.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>authorization-bypass</category><category>data-leakage</category><category>workspace-isolation</category></item></channel></rss>